MFA in Entra is not working, or users are not being prompted for MFA!

Question

MFA in Entra is not working, or users are not being prompted for MFA!

Moritz 20

Hello Community,

I am facing issues with enabling MFA for users in Microsoft Entra. We cannot use "Conditional Access" with our Microsoft 365 Business Standard licenses as they only include "Entra ID Free". I do not want to activate "Security Defaults" because, as I understand it, all users would be forced to use MFA at once, and I would not be able to distribute it in a controlled manner. "Per-user multifactor authentication" seems to be new in Entra since October and would suit me best. However, it would be better to gradually add a few users to a group and use additional options, as it seems possible under "Multifactor authentication" in conjunction with "Authentication methods". However, all configurations fail. Users are never prompted to use MFA, even though the "Migration status" is set to "complete". Only in the legacy MFA, which now seems to be disabled, was I able to force users to use MFA.

Are "Multifactor authentication" in conjunction with "Authentication methods" not standalone options, but rather tied to "Conditional Access", "Security Defaults", and "Per-user multifactor authentication"? I cannot understand this, but I have come across this information during my research.

Or should I be able to offer MFA to users with "Multifactor authentication" in conjunction with "Authentication methods" independently of CA, etc.? If so, why are users not being prompted to use it? I have researched and tested a lot. I am happy to provide further details if needed.

Thank you

Regards

Bandela Siri Chandana 3,055 Reputation points Microsoft External Staff Moderator

2024-11-28T13:48:31.4966667+00:00

Hi @Moritz
Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.
Moritz 20 Reputation points

2024-11-28T18:56:57.91+00:00

Hi Siri,

thanks a lot.It is correct, I do not want MFA to be activated for all users at the same time, as many will be overwhelmed by the process. I would not be able to support everyone in a short period of time. Therefore, I want to activate MFA for a few users at a time. We cannot use CA due to lack of license. I understood that Security Defaults would enable MFA for everyone. "Per-user multifactor authentication" works, meaning I can activate MFA for a few users and they are prompted to set it up. However, I would have liked the "Registration Campaign" to work so that users can ignore MFA for a while. Unfortunately, it has never worked so far. I have had various users and a test user try it. I always understood that "Multifactor authentication" and "Authentication methods" were an alternative to CA, Security Defaults, and "Per-user multifactor authentication". Maybe I just understand it wrong. But I will try it again with a test user as you recommended.

Thanks

Moritz
Marti Peig 970 Reputation points Microsoft Employee

2024-11-28T21:05:02.11+00:00

Hey Moritz,

Let me see if I'm getting it right. Authentication methods are the methods a user can use to register and use to supply the additional authentication factor during the Multifactor authentication process.

Both things work together, and MFA depends on the authentication factors your users have registered or enrolled and can use (ie. Microsoft Authenticator app).

In Entra, the section Authentication methods under Security, refers to the configuration of what methods, and who can use these in your tenant. There you can also run Registration campaigns that prompts users to set up more secure authentication methods.

Then you have the Multifactor authentication section under Security where you can setup providers and block or unblock users.

Finally, you have Per-user multifactor authentication section under Users, there is where you setup the MFA for each user. That setting is (in your case) the one that defines if your users are being prompted for MFA.

I hope this clarifies it.

Cheers
Moritz 20 Reputation points

2024-12-03T14:53:04.01+00:00

Hi,

late reaction... busy... sorry.

I activated one user @per user mfa. I first DID NOT take the user to a "mfa group" that i created for MFA... Campaign etc. The user GOT a prompt to use MFA. But NO methods were to choose for the user. Then i DID add the user to "my MFA group". Then the user could choose a method and the mfa activation was successful. I think i now understand that the "authentication methods" and the "multifactor authentication" do not work for their own. They seem to depend on "per user mfa" etc. I think i am now going to activate all user little by little. I will give up to get success with a registration campaign. its ok.

Thanks a lot for help
Marti Peig 970 Reputation points Microsoft Employee

2024-12-03T15:06:21.79+00:00

You are very welcome Moritz. Happy to see you are connecting dots and things are working as expected.
Moritz 20 Reputation points

2025-05-30T09:57:16.2766667+00:00

Hi,

i now understand, that the registration campaign doesnt work for users that do not have any mfa activated yet. The campaign only works for asking people to use the authentication app and no more longer for example sms that users have still activated. So it doesnt work, that i wanted to please users to use MFA generally and to snooze for a time. I wanted users trying to activate mfa for themselves to not to administrate each user individual.

Thanks

Accepted answer

1 additional answer

Your answer

Bandela Siri Chandana 3,055 Reputation points Microsoft External Staff Moderator

2024-11-28T13:48:31.4966667+00:00

Hi @Moritz
Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.
Moritz 20 Reputation points

2024-11-28T18:56:57.91+00:00

Hi Siri,

thanks a lot.It is correct, I do not want MFA to be activated for all users at the same time, as many will be overwhelmed by the process. I would not be able to support everyone in a short period of time. Therefore, I want to activate MFA for a few users at a time. We cannot use CA due to lack of license. I understood that Security Defaults would enable MFA for everyone. "Per-user multifactor authentication" works, meaning I can activate MFA for a few users and they are prompted to set it up. However, I would have liked the "Registration Campaign" to work so that users can ignore MFA for a while. Unfortunately, it has never worked so far. I have had various users and a test user try it. I always understood that "Multifactor authentication" and "Authentication methods" were an alternative to CA, Security Defaults, and "Per-user multifactor authentication". Maybe I just understand it wrong. But I will try it again with a test user as you recommended.

Thanks

Moritz
Marti Peig 970 Reputation points Microsoft Employee

2024-11-28T21:05:02.11+00:00

Hey Moritz,

Let me see if I'm getting it right. Authentication methods are the methods a user can use to register and use to supply the additional authentication factor during the Multifactor authentication process.

Both things work together, and MFA depends on the authentication factors your users have registered or enrolled and can use (ie. Microsoft Authenticator app).

In Entra, the section Authentication methods under Security, refers to the configuration of what methods, and who can use these in your tenant. There you can also run Registration campaigns that prompts users to set up more secure authentication methods.

Then you have the Multifactor authentication section under Security where you can setup providers and block or unblock users.

Finally, you have Per-user multifactor authentication section under Users, there is where you setup the MFA for each user. That setting is (in your case) the one that defines if your users are being prompted for MFA.

I hope this clarifies it.

Cheers
Moritz 20 Reputation points

2024-12-03T14:53:04.01+00:00

Hi,

late reaction... busy... sorry.

I activated one user @per user mfa. I first DID NOT take the user to a "mfa group" that i created for MFA... Campaign etc. The user GOT a prompt to use MFA. But NO methods were to choose for the user. Then i DID add the user to "my MFA group". Then the user could choose a method and the mfa activation was successful. I think i now understand that the "authentication methods" and the "multifactor authentication" do not work for their own. They seem to depend on "per user mfa" etc. I think i am now going to activate all user little by little. I will give up to get success with a registration campaign. its ok.

Thanks a lot for help
Marti Peig 970 Reputation points Microsoft Employee

2024-12-03T15:06:21.79+00:00

You are very welcome Moritz. Happy to see you are connecting dots and things are working as expected.
Moritz 20 Reputation points

2025-05-30T09:57:16.2766667+00:00

Hi,

i now understand, that the registration campaign doesnt work for users that do not have any mfa activated yet. The campaign only works for asking people to use the authentication app and no more longer for example sms that users have still activated. So it doesnt work, that i wanted to please users to use MFA generally and to snooze for a time. I wanted users trying to activate mfa for themselves to not to administrate each user individual.

Thanks

Answer 1

Marti Peig 970 Microsoft Employee

Hi Moritz,

Can you confirm this is happening with users which have the per-user MFA status Enforced? Per-user MFA has three status (disabled, enabled, enforced).

All users start out Disabled. When you enroll users in per-user Microsoft Entra multifactor authentication, their state changes to Enabled. When enabled users sign in and complete the registration process, their state changes to Enforced. Administrators may move users between states, including from Enforced to Enabled or Disabled.

If per-user MFA is re-enabled on a user and the user doesn't re-register, their MFA state doesn't transition from Enabled to Enforced in MFA management UI. The administrator must move the user directly to Enforced.

You have more information in https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-userstates

Also, check service settings and make sure you are not skipping MFA for trusted IP addresses, or when the remember MFA on trusted devices feature is turned on.

Cheers

Moritz 20 Reputation points

2024-11-28T19:12:25.6+00:00

Hi Marti,

thanks for helping.

If I understand correctly, I can confirm that all users were initially set to deactivated. I created a group for MFA and added a few users to the group for testing purposes. I then added the group under "Authentication methods" to "Microsoft Authenticator" as well as "SMS" and "Voice call". I adjusted and activated other points that seemed logical to me. However, no user was ever prompted for MFA. When I activate a user in the Legacy MFA or now in the "per User MFA", they are prompted for MFA. Unfortunately, this has nothing to do with the created group or the Registration Campaign, etc. In the Per-User MFA, which I have now tried out a bit and set a few users to enable, they are then automatically set to enforced.

Thank you
Moritz 20 Reputation points

2024-11-28T19:23:38.61+00:00

do i understand wrong? in entra the "multifactor authentication" and the "authentication methods" does not work alone? Do they belong to CA, Security defaults, per user mfa? or should "multifactor authentication" and the "authentication methods" work and prompt mfa to the users even if i did NOT used CA, Security defaults and per user mfa and legacy mfa?

Thanks
ZhoumingDuan-MSFT 17,165 Reputation points Microsoft External Staff

2024-11-29T01:39:11.8066667+00:00

@Marti Peig, Thanks for your sharing.

Answer 2

Hi @Moritz

Thank you for posting your query on Microsoft Q&A.

I understand you don't want to activate the security default since you just want to enable MFA for a specific user. Then, regarding Per-user MFA, you stated that the "Migration status" is set to "complete". This means that you cannot use legacy authentication methods in per-user MFA; the authentication methods blade simply allows you to enable different sorts of methods for users, not enforce them. You can enforce MFA using per-user MFA or, if you wish, a Conditional access policy. To enforce MFA with Conditional Access Policy, you must have a premium license P1.

If users are not being prompted for MFA, can you test with a user by revoking the MFA sessions? It's possible that stored cookies in browsers are causing the issue. Try it in a private window and see if the user is being prompted or not, and check the sign in log for that specific sign in. If the user completed single factor or multi factor authentication, you could provide a screenshot of the sign in log.

Hope this helps. Do let us know if you have any further queries.

If this answers your query, do click `Accept Answer` and `Yes`.

Thanks,

B. Siri Chandana.

Share via

MFA in Entra is not working, or users are not being prompted for MFA!

1 additional answer

Your answer